As most of us know, yesterday hundreds of thousands of people converged to witness the swearing in of the 44th president of the United States, Barack Obama. My television was on in the background yesterday, and my radar couldn’t help but pick up on some of the details on the security of the event. After some research, I found that security was heightened not only because the first African-American president was being sworn in, but intelligence also discovered a threat from a Somalia-based group, al-Shabaab, that might have plans to travel to the U.S. and disrupt the inauguration. Already we have lessons that we can apply to the security of our networks and control systems, which is what I plan to outline in this posting.

First lesson, intelligence. It's critical to our success as defenders to understand the threats. This helps us evaluate risk, tune existing defenses, and plan and then implement new defenses. There are so many ways in which you can do this, such as reading blogs and online resources. Another great way is to either run, or read about, a Honeynet. The Honeynet Project is a great resource, and even has a series of papers titled “Know Your Enemy” which you can read here.

I was impressed with the collaboration of 58 federal, state and local agencies that worked together to protect Obama and keep the inauguration safe. It underscores the importance of communication and cooperation between organizations to help protect critical resources. This can take many forms, for example getting together at a conference such as Digital Bond's 2009 S4 Conference. Also, be certain to keep the lines of communication open with organizations such as InfraGard, US-CERT, and the SANS ISC.

I found the following quotes provided insight into the success of the security at the inauguration: “Security expert Alan Bell said authorities have been planning for the inauguration for well over a year.” and “squad cars and utility vehicles swept along downtown streets even before dawn.” This highlights the need for proper planning; security can't be something that is always reactive. Yes, you do need to react in the heat of the moment, but much of your security should be in the protective and planning stages.

I find it interesting the level of effort and monetary expenditure that went into the security measures for the inauguration. My grandfather used to always tell me, “You get out of something what you put into it,” and this couldn't be more true for the security world. Below are some examples of the security measures:

  • “Obama's limousine, nicknamed ‘The Beast,’ boasts heavy armour, run-flat tires, bulletproof glass and has a completely sealed interior in case of a biological or chemical attack.”
  • The streets were closed, stop lights were removed, waste baskets were removed, and manhole covers were welded shut.
  • No aircraft were allowed to fly over the city, except for fighter jets on air patrol.
  • All the buildings in the area were closed for at least 24 hours and had Secret Service snipers stationed inside them.
  • People were prohibited from carrying certain items onto the Capitol grounds, such as umbrellas.

From the above you can see there are many trade-offs being made between security and convenience/cost. For example, Obama's limousine doesn't get great gas mileage, no one was servicing the manholes until they could be cut open, flights took longer and were delayed, businesses potentially lost money from being closed, and people got wet if it rained. In our organizations these decisions often go in the other direction. We let users trade attachments, browse the Internet, and use USB keys. Maybe it's time to start welding some of those manhole covers shut.

I really liked the intrusion detection system: “There will also be plainclothes officers in the crowds, one for every 100 people.” Wow, this is some serious monitoring and reconnaissance being done. To translate this to your own organizations, take a look at how many intrusion detection and prevention systems you have in your network. Is any one system going to detect all of the threats? No, but making sure you have adequate coverage is a key to success, and not just the number of IDSs, but the type and configuration as well.

Speaking of reconnaissance, I like this one: “A recent intelligence assessment, however, said a lone wolf would pose the greatest potential threat.” Interesting. We talk about the botnet threat and teams of hackers working together, but if we look at how much damage a lone wolf could do, it's frightening. I think the toughest thing about this threat is detection. One person is often difficult to detect and collect intelligence on because of their small footprint. We can gather a lot of information about larger hacking groups, but what do we know about that “lone wolf” and his or her motives?

The inauguration security is a good excuse to evaluate risk in your organization and apply some of the lessons from a very successful implementation of security.